diff --git a/docs/docs/references/configuration/cli/trivy.md b/docs/docs/references/configuration/cli/trivy.md index e5edee8d8c..a22b0a9376 100644 --- a/docs/docs/references/configuration/cli/trivy.md +++ b/docs/docs/references/configuration/cli/trivy.md @@ -29,6 +29,7 @@ trivy [global flags] command [flags] target ### Options ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_clean.md b/docs/docs/references/configuration/cli/trivy_clean.md index 65b827136f..4479819a73 100644 --- a/docs/docs/references/configuration/cli/trivy_clean.md +++ b/docs/docs/references/configuration/cli/trivy_clean.md @@ -35,6 +35,7 @@ trivy clean [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud.md b/docs/docs/references/configuration/cli/trivy_cloud.md index 985b7684af..f3d95cb04c 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud.md +++ b/docs/docs/references/configuration/cli/trivy_cloud.md @@ -11,6 +11,7 @@ Control Trivy Cloud platform integration settings ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config.md b/docs/docs/references/configuration/cli/trivy_cloud_config.md index f5f0c45b92..cbb85ff7bc 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config.md 
@@ -11,6 +11,7 @@ Control Trivy Cloud configuration ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md b/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md index 7c7972897a..26a9e58332 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config_edit.md @@ -19,6 +19,7 @@ trivy cloud config edit [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config_get.md b/docs/docs/references/configuration/cli/trivy_cloud_config_get.md index 13c75fe1d6..6c6f6ce8f6 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config_get.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config_get.md @@ -28,6 +28,7 @@ trivy cloud config get [setting] [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config_list.md b/docs/docs/references/configuration/cli/trivy_cloud_config_list.md index 72b4f740fa..07772a5df7 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config_list.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config_list.md 
@@ -19,6 +19,7 @@ trivy cloud config list [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config_set.md b/docs/docs/references/configuration/cli/trivy_cloud_config_set.md index b6214cb833..95fdfc94f8 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config_set.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config_set.md @@ -28,6 +28,7 @@ trivy cloud config set [setting] [value] [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md b/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md index 8d57c4a0f3..e01871037a 100644 --- a/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md +++ b/docs/docs/references/configuration/cli/trivy_cloud_config_unset.md @@ -28,6 +28,7 @@ trivy cloud config unset [setting] [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_config.md b/docs/docs/references/configuration/cli/trivy_config.md index d6518bd712..899e8e55c9 100644 --- a/docs/docs/references/configuration/cli/trivy_config.md +++ b/docs/docs/references/configuration/cli/trivy_config.md 
@@ -84,6 +84,7 @@ trivy config [flags] DIR ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_convert.md b/docs/docs/references/configuration/cli/trivy_convert.md index 5b4a7c535b..23929921cb 100644 --- a/docs/docs/references/configuration/cli/trivy_convert.md +++ b/docs/docs/references/configuration/cli/trivy_convert.md @@ -58,6 +58,7 @@ trivy convert [flags] RESULT_JSON ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index ea53f338a1..dde53f11d9 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md @@ -178,6 +178,7 @@ trivy filesystem [flags] PATH ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index ab7f7540b4..a00d0801cc 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -199,6 +199,7 @@ trivy image [flags] IMAGE_NAME ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index a41bc2422b..f50769056c 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md @@ -187,6 +187,7 @@ trivy kubernetes [flags] [CONTEXT] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_login.md b/docs/docs/references/configuration/cli/trivy_login.md index c28c140774..07f0a3b618 100644 --- a/docs/docs/references/configuration/cli/trivy_login.md +++ b/docs/docs/references/configuration/cli/trivy_login.md @@ -29,6 +29,7 @@ trivy login [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_logout.md b/docs/docs/references/configuration/cli/trivy_logout.md index 569fa87fe3..61e52e9fee 100644 --- a/docs/docs/references/configuration/cli/trivy_logout.md +++ b/docs/docs/references/configuration/cli/trivy_logout.md 
@@ -15,6 +15,7 @@ trivy logout [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_module.md b/docs/docs/references/configuration/cli/trivy_module.md index 136a090009..a305c1fe1d 100644 --- a/docs/docs/references/configuration/cli/trivy_module.md +++ b/docs/docs/references/configuration/cli/trivy_module.md @@ -13,6 +13,7 @@ Manage modules ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_module_install.md b/docs/docs/references/configuration/cli/trivy_module_install.md index 400f375099..fed88072a3 100644 --- a/docs/docs/references/configuration/cli/trivy_module_install.md +++ b/docs/docs/references/configuration/cli/trivy_module_install.md @@ -15,6 +15,7 @@ trivy module install [flags] REPOSITORY ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_module_uninstall.md b/docs/docs/references/configuration/cli/trivy_module_uninstall.md index 7d78e18010..14c902ff96 100644 --- a/docs/docs/references/configuration/cli/trivy_module_uninstall.md +++ b/docs/docs/references/configuration/cli/trivy_module_uninstall.md 
@@ -15,6 +15,7 @@ trivy module uninstall [flags] REPOSITORY ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin.md b/docs/docs/references/configuration/cli/trivy_plugin.md index a3d105d2cd..f0b2726acf 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin.md +++ b/docs/docs/references/configuration/cli/trivy_plugin.md @@ -11,6 +11,7 @@ Manage plugins ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_info.md b/docs/docs/references/configuration/cli/trivy_plugin_info.md index e6982ffc03..6009d42137 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_info.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_info.md @@ -15,6 +15,7 @@ trivy plugin info PLUGIN_NAME ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_install.md b/docs/docs/references/configuration/cli/trivy_plugin_install.md index ec3afd77a6..5b553e696d 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_install.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_install.md 
@@ -28,6 +28,7 @@ trivy plugin install NAME | URL | FILE_PATH ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_list.md b/docs/docs/references/configuration/cli/trivy_plugin_list.md index ea789ea719..7bc7237c4b 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_list.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_list.md @@ -15,6 +15,7 @@ trivy plugin list ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_run.md b/docs/docs/references/configuration/cli/trivy_plugin_run.md index 5befb58f90..e99ecd00e9 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_run.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_run.md @@ -15,6 +15,7 @@ trivy plugin run NAME | URL | FILE_PATH ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_search.md b/docs/docs/references/configuration/cli/trivy_plugin_search.md index 931babfd59..d93b5d366a 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_search.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_search.md 
@@ -15,6 +15,7 @@ trivy plugin search [KEYWORD] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_uninstall.md b/docs/docs/references/configuration/cli/trivy_plugin_uninstall.md index 69fbb1d5a1..669bf0e6cc 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_uninstall.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_uninstall.md @@ -15,6 +15,7 @@ trivy plugin uninstall PLUGIN_NAME ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_update.md b/docs/docs/references/configuration/cli/trivy_plugin_update.md index da26290882..5b706e77eb 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_update.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_update.md @@ -15,6 +15,7 @@ trivy plugin update ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_plugin_upgrade.md b/docs/docs/references/configuration/cli/trivy_plugin_upgrade.md index a3d363d564..0c5c6e1425 100644 --- a/docs/docs/references/configuration/cli/trivy_plugin_upgrade.md +++ b/docs/docs/references/configuration/cli/trivy_plugin_upgrade.md 
@@ -15,6 +15,7 @@ trivy plugin upgrade [PLUGIN_NAMES] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_registry.md b/docs/docs/references/configuration/cli/trivy_registry.md index 4a42cea3f4..bf7af19c75 100644 --- a/docs/docs/references/configuration/cli/trivy_registry.md +++ b/docs/docs/references/configuration/cli/trivy_registry.md @@ -11,6 +11,7 @@ Manage registry authentication ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_registry_login.md b/docs/docs/references/configuration/cli/trivy_registry_login.md index 6e963b3ca9..2f5460bf4f 100644 --- a/docs/docs/references/configuration/cli/trivy_registry_login.md +++ b/docs/docs/references/configuration/cli/trivy_registry_login.md @@ -25,6 +25,7 @@ trivy registry login SERVER [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_registry_logout.md b/docs/docs/references/configuration/cli/trivy_registry_logout.md index b3da44c5fe..809488f665 100644 --- a/docs/docs/references/configuration/cli/trivy_registry_logout.md +++ b/docs/docs/references/configuration/cli/trivy_registry_logout.md 
@@ -22,6 +22,7 @@ trivy registry logout SERVER [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index 2ca0665012..1a6ac9bd93 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md +++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -177,6 +177,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index aa82284720..8a0d51085d 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md @@ -179,6 +179,7 @@ trivy rootfs [flags] ROOTDIR ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md index 8a0c5fa76f..23bc6dc025 100644 --- a/docs/docs/references/configuration/cli/trivy_sbom.md +++ b/docs/docs/references/configuration/cli/trivy_sbom.md 
@@ -147,6 +147,7 @@ trivy sbom [flags] SBOM_PATH ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_server.md b/docs/docs/references/configuration/cli/trivy_server.md index 794cad7bb6..ed4e132dfe 100644 --- a/docs/docs/references/configuration/cli/trivy_server.md +++ b/docs/docs/references/configuration/cli/trivy_server.md @@ -45,6 +45,7 @@ trivy server [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_version.md b/docs/docs/references/configuration/cli/trivy_version.md index 70529c7445..99ab0b5202 100644 --- a/docs/docs/references/configuration/cli/trivy_version.md +++ b/docs/docs/references/configuration/cli/trivy_version.md @@ -16,6 +16,7 @@ trivy version [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_vex.md b/docs/docs/references/configuration/cli/trivy_vex.md index e7b4e31cb9..6b30950ad6 100644 --- a/docs/docs/references/configuration/cli/trivy_vex.md +++ b/docs/docs/references/configuration/cli/trivy_vex.md @@ -11,6 +11,7 @@ ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode 
diff --git a/docs/docs/references/configuration/cli/trivy_vex_repo.md b/docs/docs/references/configuration/cli/trivy_vex_repo.md index 32777ba4ba..5758f05cb3 100644 --- a/docs/docs/references/configuration/cli/trivy_vex_repo.md +++ b/docs/docs/references/configuration/cli/trivy_vex_repo.md @@ -25,6 +25,7 @@ Manage VEX repositories ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_vex_repo_download.md b/docs/docs/references/configuration/cli/trivy_vex_repo_download.md index eebf63f811..fa6ec2ec6a 100644 --- a/docs/docs/references/configuration/cli/trivy_vex_repo_download.md +++ b/docs/docs/references/configuration/cli/trivy_vex_repo_download.md @@ -19,6 +19,7 @@ trivy vex repo download [REPO_NAMES] [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_vex_repo_init.md b/docs/docs/references/configuration/cli/trivy_vex_repo_init.md index 6e9a9b0f95..1d3be26287 100644 --- a/docs/docs/references/configuration/cli/trivy_vex_repo_init.md +++ b/docs/docs/references/configuration/cli/trivy_vex_repo_init.md @@ -15,6 +15,7 @@ trivy vex repo init [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_vex_repo_list.md b/docs/docs/references/configuration/cli/trivy_vex_repo_list.md index 5f1c77c23f..92b246f52a 100644 
--- a/docs/docs/references/configuration/cli/trivy_vex_repo_list.md +++ b/docs/docs/references/configuration/cli/trivy_vex_repo_list.md @@ -15,6 +15,7 @@ trivy vex repo list [flags] ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index 5d1ff11309..4fbb5d4d4a 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -163,6 +163,7 @@ trivy vm [flags] VM_IMAGE ### Options inherited from parent commands ``` + --cacert string Path to PEM-encoded CA certificate file --cache-dir string cache directory (default "/path/to/cache") -c, --config string config path (default "trivy.yaml") -d, --debug debug mode diff --git a/docs/docs/references/configuration/config-file.md b/docs/docs/references/configuration/config-file.md index 823f719337..31ecdad18d 100644 --- a/docs/docs/references/configuration/config-file.md +++ b/docs/docs/references/configuration/config-file.md @@ -9,6 +9,9 @@ These samples contain default values for flags. ## Global options ```yaml +# Same as '--cacert' +cacert: "" + cache: # Same as '--cache-dir' dir: "/path/to/cache" diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md index 09b36eb73a..e696b61057 100644 --- a/docs/docs/references/troubleshooting.md +++ b/docs/docs/references/troubleshooting.md 
@@ -78,15 +78,27 @@ Common mistakes include the following, depending on where you are pulling images $ TRIVY_INSECURE=true trivy image [YOUR_IMAGE] ``` -On Unix systems other than macOS, you can specify the location of your certificate using `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables. +If you need to trust a custom CA certificate, you can provide a PEM-encoded bundle. -``` -$ SSL_CERT_FILE=/path/to/cert trivy image [YOUR_IMAGE] -``` +=== "Unix (except macOS)" -``` -$ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE] -``` + You can specify the location of your certificate using the `SSL_CERT_FILE` or `SSL_CERT_DIR` environment variables. + + ```bash + $ SSL_CERT_FILE=/path/to/ca.pem trivy image [YOUR_IMAGE] + ``` + + ```bash + $ SSL_CERT_DIR=/path/to/certs trivy image [YOUR_IMAGE] + ``` + +=== "All systems" + + Use the `--cacert` flag to point Trivy to a PEM-encoded CA certificate file, regardless of the operating system. + + ```bash + $ trivy image --cacert /path/to/ca.pem [YOUR_IMAGE] + ``` ### GitHub Rate limiting Trivy uses GitHub API for [VEX repositories](../supply-chain/vex/repo.md). diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go index e79daaca72..38e9d32556 100644 --- a/pkg/commands/artifact/run.go +++ b/pkg/commands/artifact/run.go @@ -131,6 +131,7 @@ func NewRunner(ctx context.Context, cliOptions flag.Options, targetKind TargetKi // Set the default HTTP transport xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{ Insecure: cliOptions.Insecure, + CACerts: cliOptions.CACerts, Timeout: cliOptions.Timeout, TraceHTTP: cliOptions.TraceHTTP, })) diff --git a/pkg/commands/server/run.go b/pkg/commands/server/run.go index f53d92d9ab..0f29c5f351 100644 --- a/pkg/commands/server/run.go +++ b/pkg/commands/server/run.go 
@@ -22,6 +22,7 @@ func Run(ctx context.Context, opts flag.Options) (err error) { // Set the default HTTP transport xhttp.SetDefaultTransport(xhttp.NewTransport(xhttp.Options{ Insecure: opts.Insecure, + CACerts: opts.CACerts, Timeout: opts.Timeout, })) diff --git a/pkg/fanal/image/registry/ecr/ecr.go b/pkg/fanal/image/registry/ecr/ecr.go index 313d276f72..b6f3f0825d 100644 --- a/pkg/fanal/image/registry/ecr/ecr.go +++ b/pkg/fanal/image/registry/ecr/ecr.go @@ -37,6 +37,7 @@ func getSession(domain, region string, option types.RegistryOptions) (aws.Config // cf. https://github.com/aquasecurity/trivy/discussions/9429 client := awshttp.NewBuildableClient().WithTransportOptions(func(transport *http.Transport) { transport.TLSClientConfig.InsecureSkipVerify = option.Insecure + transport.TLSClientConfig.RootCAs = option.CACerts }) // create custom credential information if option is valid if option.AWSSecretKey != "" && option.AWSAccessKey != "" && option.AWSRegion != "" { diff --git a/pkg/fanal/types/image.go b/pkg/fanal/types/image.go index c648cd1206..08dd8e9935 100644 --- a/pkg/fanal/types/image.go +++ b/pkg/fanal/types/image.go @@ -1,6 +1,8 @@ package types import ( + "crypto/x509" + v1 "github.com/google/go-containerregistry/pkg/v1" ) @@ -87,6 +89,7 @@ type RegistryOptions struct { // SSL/TLS Insecure bool + CACerts *x509.CertPool // Architecture Platform Platform diff --git a/pkg/flag/global_flags.go b/pkg/flag/global_flags.go index 2089ca0fd7..954e0cfe78 100644 --- a/pkg/flag/global_flags.go +++ b/pkg/flag/global_flags.go @@ -1,10 +1,12 @@ package flag import ( + "crypto/x509" "os" "time" "github.com/spf13/cobra" + "golang.org/x/xerrors" "github.com/aquasecurity/trivy/pkg/cache" "github.com/aquasecurity/trivy/pkg/log" 
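Review bot: In the `getSession` hunk of pkg/fanal/image/registry/ecr/ecr.go, `RootCAs` is assigned unconditionally, so the transport option overwrites whatever pool the TLS config already carried even when no `--cacert` was given. A guard keeps the default path untouched and mirrors the "only when needed" branch added to `NewTransport`: `if option.CACerts != nil { transport.TLSClientConfig.RootCAs = option.CACerts }`. The same `*x509.CertPool` pointer is handed to every consumer of `CACerts`, so the new `RegistryOptions.CACerts` field in pkg/fanal/types/image.go deserves a comment such as `// CACerts is shared by pointer across transports; treat it as read-only.` `getSession` continues outside the hunk, so whether anything later appends to this pool cannot be seen here.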
@@ -49,6 +51,12 @@ var ( Persistent: true, TelemetrySafe: true, } + CACertFlag = Flag[string]{ + Name: "cacert", + ConfigName: "cacert", + Usage: "Path to PEM-encoded CA certificate file", + Persistent: true, + } TimeoutFlag = Flag[time.Duration]{ Name: "timeout", ConfigName: "timeout", @@ -87,6 +95,7 @@ type GlobalFlagGroup struct { Quiet *Flag[bool] Debug *Flag[bool] Insecure *Flag[bool] + CACert *Flag[string] Timeout *Flag[time.Duration] CacheDir *Flag[string] GenerateDefaultConfig *Flag[bool] @@ -100,6 +109,7 @@ type GlobalOptions struct { Quiet bool Debug bool Insecure bool + CACerts *x509.CertPool Timeout time.Duration CacheDir string GenerateDefaultConfig bool @@ -113,6 +123,7 @@ func NewGlobalFlagGroup() *GlobalFlagGroup { Quiet: QuietFlag.Clone(), Debug: DebugFlag.Clone(), Insecure: InsecureFlag.Clone(), + CACert: CACertFlag.Clone(), Timeout: TimeoutFlag.Clone(), CacheDir: CacheDirFlag.Clone(), GenerateDefaultConfig: GenerateDefaultConfigFlag.Clone(), @@ -131,6 +142,7 @@ func (f *GlobalFlagGroup) Flags() []Flagger { f.Quiet, f.Debug, f.Insecure, + f.CACert, f.Timeout, f.CacheDir, f.GenerateDefaultConfig, @@ -156,6 +168,10 @@ func (f *GlobalFlagGroup) Bind(cmd *cobra.Command) error { func (f *GlobalFlagGroup) ToOptions(opts *Options) error { // Keep TRIVY_NON_SSL for backward compatibility insecure := f.Insecure.Value() || os.Getenv("TRIVY_NON_SSL") != "" + caCerts, err := loadRootCAs(f.CACert.Value()) + if err != nil { + return xerrors.Errorf("failed to load root CA certificates: %w", err) + } log.Debug("Cache dir", log.String("dir", f.CacheDir.Value())) @@ -165,6 +181,7 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error { Quiet: f.Quiet.Value(), Debug: f.Debug.Value(), Insecure: insecure, + CACerts: caCerts, Timeout: f.Timeout.Value(), CacheDir: f.CacheDir.Value(), GenerateDefaultConfig: f.GenerateDefaultConfig.Value(), 
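Review bot: `ToOptions` now holds both `insecure` and `caCerts`, but nothing reports the case where both are set. With `InsecureSkipVerify` true the peer chain is not verified, so the supplied CA bundle has no effect even though the configuration looks pinned to it. A warning right after `loadRootCAs` returns makes this visible: `if insecure && caCerts != nil { log.Warn("'--cacert' has no effect because '--insecure' is set") }`. The same combination reaches `NewTransport` in pkg/x/http/transport.go and the ECR client unchanged. The wrapped error also reads "failed to load root CA certificates: failed to read root CA certificate: …"; dropping one of the two prefixes would tidy the chain.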
@@ -172,3 +189,25 @@ func (f *GlobalFlagGroup) ToOptions(opts *Options) error { } return nil } + +// loadRootCAs builds a cert pool from the system pool and the provided PEM bundle. +// Returns nil if caCertPath is empty or on failure. +func loadRootCAs(caCertPath string) (*x509.CertPool, error) { + if caCertPath == "" { + return nil, nil + } + + rootCAs, err := x509.SystemCertPool() + if err != nil || rootCAs == nil { + rootCAs = x509.NewCertPool() + } + + pem, err := os.ReadFile(caCertPath) + if err != nil { + return nil, xerrors.Errorf("failed to read root CA certificate: %w", err) + } + if ok := rootCAs.AppendCertsFromPEM(pem); !ok { + return nil, xerrors.Errorf("failed to append CA bundle") + } + return rootCAs, nil +} diff --git a/pkg/flag/options.go b/pkg/flag/options.go index d32823838a..b3c325256d 100644 --- a/pkg/flag/options.go +++ b/pkg/flag/options.go @@ -514,6 +514,7 @@ func (o *Options) RegistryOpts() ftypes.RegistryOptions { Credentials: o.Credentials, RegistryToken: o.RegistryToken, Insecure: o.Insecure, + CACerts: o.CACerts, Platform: o.Platform, AWSRegion: o.AWSOptions.Region, RegistryMirrors: o.RegistryMirrors, diff --git a/pkg/x/http/transport.go b/pkg/x/http/transport.go index 97a6990260..72c4c3750b 100644 --- a/pkg/x/http/transport.go +++ b/pkg/x/http/transport.go @@ -4,6 +4,7 @@ import ( "cmp" "context" "crypto/tls" + "crypto/x509" "fmt" "net" "net/http" @@ -30,6 +31,7 @@ func WithTransport(ctx context.Context, tr http.RoundTripper) context.Context { type Options struct { Insecure bool Timeout time.Duration + CACerts *x509.CertPool UserAgent string TraceHTTP bool } @@ -68,10 +70,11 @@ func NewTransport(opts Options) http.RoundTripper { } tr.DialContext = d.DialContext - // Configure TLS - if opts.Insecure { + // Configure TLS only when needed. + if opts.CACerts != nil || opts.Insecure { tr.TLSClientConfig = &tls.Config{ InsecureSkipVerify: opts.Insecure, + RootCAs: opts.CACerts, } }
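Review bot: `loadRootCAs` discards the error from `x509.SystemCertPool()` and silently continues with an empty pool, so on a host where the system store cannot be loaded the process ends up trusting only the supplied bundle and nothing says so. Logging the fallback keeps that trust decision visible, e.g. `log.Warn("System cert pool unavailable, trusting only the provided CA bundle", log.Err(err))` inside the `if err != nil || rootCAs == nil` branch. The doc comment also says the function returns nil "on failure", while the body returns an error for an unreadable file or a bundle with no parsable certificate; it should read `// It returns (nil, nil) when caCertPath is empty, and an error when the file cannot be read or contains no certificate.` `AppendCertsFromPEM` reports success as soon as one certificate parses, so a partly malformed bundle is accepted without notice, and naming the path in that error (`"no certificates found in %q"`) would help operators. The local `pem` is better named `pemData`, to avoid colliding with `encoding/pem` if that package is imported later.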